<?xml version="1.0" encoding="UTF-8"?>
<cvrf:cvrfdoc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
    <cvrf:DocumentTitle>OpenSSL vulnerabilities - June 2015</cvrf:DocumentTitle>
    <cvrf:DocumentType>Fortinet PSIRT Advisories</cvrf:DocumentType>
    <cvrf:DocumentPublisher Type="Vendor">
        <cvrf:ContactDetails>
            Fortinet PSIRT Contact:
            Website: https://fortiguard.fortinet.com/faq/psirt-contact
        </cvrf:ContactDetails>
     </cvrf:DocumentPublisher>
    <cvrf:DocumentTracking>
        <cvrf:Identification>
            <cvrf:ID>FG-IR-15-014</cvrf:ID>
        </cvrf:Identification>
        <cvrf:Status>Final</cvrf:Status>
        <cvrf:Version>1</cvrf:Version>
        <cvrf:RevisionHistory>
            <cvrf:Revision>
                <cvrf:Number>1</cvrf:Number>
                <cvrf:Date>2015-06-11T00:00:00</cvrf:Date>
                <cvrf:Description>Current version</cvrf:Description>
        </cvrf:Revision>
       </cvrf:RevisionHistory>
        <cvrf:InitialReleaseDate>2015-06-11T00:00:00</cvrf:InitialReleaseDate>
        <cvrf:CurrentReleaseDate>2015-06-11T00:00:00</cvrf:CurrentReleaseDate>
    </cvrf:DocumentTracking>
    <cvrf:DocumentNotes>
        <cvrf:Note Title="Summary" Type="Summary" Ordinal="1">
            None
        </cvrf:Note>
        <cvrf:Note Title="Description" Type="General" Ordinal="2">
            OpenSSL released a security advisory in June 2015 to announce multiple security vulnerabilities.
        </cvrf:Note>
        <cvrf:Note Title="Impact" Type="General" Ordinal="3">
            Denial of service and memory corruption
        </cvrf:Note>
        <cvrf:Note Title="Solutions" Type="General" Ordinal="4">
            With regard to the recent OpenSSL updates that address CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791 and CVE-2015-1792, Fortinet will update OpenSSL for the following products that contain the affected versions of OpenSSL:
            FortiOS 5.2.3 and earlier
            FortiManager 5.2.2 and earlier
            FortiAnalyzer 5.2.2 and earlier
            FortiMail 5.0.8/5.1.5/5.2.4 and earlier
            FortiAuthenticator (versions before 4.0)
            AscenLink 7.2.4 and earlier
            FortiRecorder 2.0 and earlier
            FortiWan 4.0.2 and earlier
            FortiClient Windows/Mac 5.2.3 and earlier
            FortiClient Android 5.2.5 and earlier
            Fortinet believes the exploitability and risk of these issues are low or non-existent, but the following workarounds are suggested for customers unable to deploy an update when available:
            CVE-2015-1788 workaround: Limit access to features that validate TLS client authentication with a certificate.
            CVE-2015-1789 workaround: Limit access to features that validate TLS client authentication with a certificate or that verify CRLs when used as a TLS client.
            CVE-2015-1790 workaround: Limit access to devices that can import PKCS7.
            CVE-2015-1791 workaround: Fortinet products are not affected.
            CVE-2015-1792 workaround: Limit access to features that handle S/MIME messages.
            Special consideration for CVE-2015-4000 "Logjam": See FortiGuard bulletin FG-IR-15-013.
            The following products must be upgraded to the updated versions:
            FortiOS 4.3.16, FortiOS 5.0.8 or above, FortiOS 5.2.3 or earlier
            FortiManager 5.0.9 or earlier
            FortiAnalyzer 5.0.9 or earlier
            FortiAP 5.0.8 or earlier
            AscenLink 7.2.3 or earlier
            FortiADC 4.2.0 or earlier
            FortiAuthenticator 3.1.0 or earlier
            FortiCache 3.0.0 or earlier
            FortiClient Windows/MAC 5.2.3 or earlier
            FortiClient iOS 5.2.1 or earlier
            FortiClient Android 5.2.6 or earlier
            FortiDDoS 4.1.5 or earlier
            FortiMail 4.3.10 or earlier
            FortiRecorder 2.0.1 or earlier
            FortiSandbox 2.0.0 or earlier
            FortiVoice Enterprise 3.0.6 or earlier
            FortiWeb 5.3.3 or earlier
            FSSO build 235 or earlier
            For all products, please contact Fortinet TAC support for updates on the current ETA of the patched release.
        </cvrf:Note>
    </cvrf:DocumentNotes>
    <cvrf:DocumentReferences>
        <cvrf:Reference>
            <cvrf:URL>https://fortiguard.fortinet.com/psirt/FG-IR-15-014</cvrf:URL>
            <cvrf:Description>OpenSSL vulnerabilities - June 2015</cvrf:Description>
        </cvrf:Reference>
        <cvrf:Reference>
            <cvrf:URL>https://openssl.org/news/secadv_20150611.txt</cvrf:URL>
            <cvrf:Description>https://openssl.org/news/secadv_20150611.txt</cvrf:Description>
        </cvrf:Reference>
    </cvrf:DocumentReferences>
    <Vulnerability Ordinal="1">
        <Title>OpenSSL vulnerabilities - June 2015</Title>
        <cvrf:CVE>CVE-2014-8176</cvrf:CVE>
        <cvrf:CVE>CVE-2015-1788</cvrf:CVE>
        <cvrf:CVE>CVE-2015-1789</cvrf:CVE>
        <cvrf:CVE>CVE-2015-1790</cvrf:CVE>
        <cvrf:CVE>CVE-2015-1791</cvrf:CVE>
        <cvrf:CVE>CVE-2015-1792</cvrf:CVE>
        <References Type="Self">
            <Reference>
                <URL>https://fortiguard.fortinet.com/psirt/FG-IR-15-014</URL>
                <Description>OpenSSL vulnerabilities - June 2015</Description>
            </Reference>
            <Reference>
                <URL>https://openssl.org/news/secadv_20150611.txt</URL>
                <Description>https://openssl.org/news/secadv_20150611.txt</Description>
            </Reference>
        </References>
    </Vulnerability>
</cvrf:cvrfdoc>